[SOLVED] Passing queries with double quotes in PHP mySQL

December 1st, 2009, 04:40 AM
How can I deal with users sending variables with double quotes (") in PHP variables that will be used to build mySQL

I would like to allow users to store double quotes in the database, but how do I do that? In the example below, if someone puts a double quote in the Name variable, I am hosed.

$sql="INSERT INTO Recipes (recipe_name)
VALUES (\"$_POST[Name]\")";

echo "<p> the query: " . $sql . "</p>";

if (!mysql_query($sql,$con))
die('Error: ' . mysql_error());
echo "<p>1 record added to Recipe table</p> ";

December 1st, 2009, 04:42 AM

I'd look into that.

December 1st, 2009, 07:40 AM
You could also try the ereg_replace (http://php.net/manual/en/function.ereg-replace.php) function. Just do something like this.

$newString = ereg_replace("\"", "&quot;", $_POST['Name']);

I think that will work :/

EDIT: Lame, I just realized that the function is deprecated...
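
Added example, not part of any post in this thread: binding the user's value as a statement parameter keeps it separate from the SQL text, so double quotes, single quotes and backslashes are stored exactly as typed and need no escaping or replacing. It assumes PDO with an in-memory SQLite database so it runs offline (for MySQL only the DSN changes); the helper names and sample inputs are constructed for illustration.

```php
<?php
// Added example: the Recipes insert from the question, rewritten with a bound parameter.
// Assumption: SQLite in memory via PDO; for MySQL use a DSN such as
// 'mysql:host=...;dbname=...' with your own credentials.

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Recipes (id INTEGER PRIMARY KEY, recipe_name TEXT NOT NULL)');
    return $pdo;
}

function add_recipe(PDO $pdo, string $name): int
{
    // The SQL text is fixed; :name is sent as data, never spliced into the string.
    $stmt = $pdo->prepare('INSERT INTO Recipes (recipe_name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

function recipe_name(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT recipe_name FROM Recipes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$pdo = open_db();

// Constructed inputs standing in for $_POST['Name'].
$samples = [
    'Grandma\'s "famous" chili',
    '12" pizza \\ thin crust',
];

foreach ($samples as $input) {
    $id = add_recipe($pdo, $input);
    $stored = recipe_name($pdo, $id);
    // HTML-escape only when printing into a page, not before storing.
    printf("%d: %s [%s]\n", $id, htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'),
        $stored === $input ? 'stored unchanged' : 'MISMATCH');
}

$count = (int) $pdo->query('SELECT COUNT(*) FROM Recipes')->fetchColumn();
echo "rows in Recipes: $count\n";
```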